enable authentication-only RawEn/DecryptionMaterials

mattsb42-aws · mattsb42-aws · commit abcc934f4502 · 2018-04-27T18:58:33.000-07:00
diff --git a/src/dynamodb_encryption_sdk/materials/raw.py b/src/dynamodb_encryption_sdk/materials/raw.py
@@ -51,7 +51,10 @@ class RawEncryptionMaterials(EncryptionMaterials):
     """
 
     _signing_key = attr.ib(validator=attr.validators.instance_of(DelegatedKey))
-    _encryption_key = attr.ib(validator=attr.validators.instance_of(DelegatedKey))
+    _encryption_key = attr.ib(
+        validator=attr.validators.optional(attr.validators.instance_of(DelegatedKey)),
+        default=None
+    )
     _material_description = attr.ib(
         validator=dictionary_validator(six.string_types, six.string_types),
         converter=copy.deepcopy,
@@ -60,7 +63,7 @@ class RawEncryptionMaterials(EncryptionMaterials):
 
     def __attrs_post_init__(self):
         """Verify that the encryption key is allowed be used for raw materials."""
-        if not self._encryption_key.allowed_for_raw_materials:
+        if self._encryption_key is not None and not self._encryption_key.allowed_for_raw_materials:
             raise ValueError('Encryption key type "{}" does not allow use with RawEncryptionMaterials'.format(
                 type(self._encryption_key)
             ))
@@ -93,6 +96,9 @@ def encryption_key(self):
         :returns: Encryption key
         :rtype: dynamodb_encryption_sdk.delegated_keys.DelegatedKey
         """
+        if self._encryption_key is None:
+            raise AttributeError('No encryption key available')
+
         return self._encryption_key
 
 
@@ -113,7 +119,10 @@ class RawDecryptionMaterials(DecryptionMaterials):
     """
 
     _verification_key = attr.ib(validator=attr.validators.instance_of(DelegatedKey))
-    _decryption_key = attr.ib(validator=attr.validators.instance_of(DelegatedKey))
+    _decryption_key = attr.ib(
+        validator=attr.validators.optional(attr.validators.instance_of(DelegatedKey)),
+        default=None
+    )
     _material_description = attr.ib(
         validator=dictionary_validator(six.string_types, six.string_types),
         converter=copy.deepcopy,
@@ -122,7 +131,7 @@ class RawDecryptionMaterials(DecryptionMaterials):
 
     def __attrs_post_init__(self):
         """Verify that the encryption key is allowed be used for raw materials."""
-        if not self._decryption_key.allowed_for_raw_materials:
+        if self._decryption_key is not None and not self._decryption_key.allowed_for_raw_materials:
             raise ValueError('Decryption key type "{}" does not allow use with RawDecryptionMaterials'.format(
                 type(self._decryption_key)
             ))
@@ -155,4 +164,7 @@ def decryption_key(self):
         :returns: Decryption key
         :rtype: dynamodb_encryption_sdk.delegated_keys.DelegatedKey
         """
+        if self._decryption_key is None:
+            raise AttributeError('No decryption key available')
+
         return self._decryption_key
diff --git a/test/functional/materials/__init__.py b/test/functional/materials/__init__.py
@@ -0,0 +1,13 @@
+# Copyright 2018 Amazon.com, Inc. or its affiliates. All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"). You
+# may not use this file except in compliance with the License. A copy of
+# the License is located at
+#
+# http://aws.amazon.com/apache2.0/
+#
+# or in the "license" file accompanying this file. This file is
+# distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF
+# ANY KIND, either express or implied. See the License for the specific
+# language governing permissions and limitations under the License.
+"""Dummy stub to make linters work better."""
diff --git a/test/functional/materials/test_raw.py b/test/functional/materials/test_raw.py
@@ -0,0 +1,39 @@
+# Copyright 2018 Amazon.com, Inc. or its affiliates. All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License"). You
+# may not use this file except in compliance with the License. A copy of
+# the License is located at
+#
+# http://aws.amazon.com/apache2.0/
+#
+# or in the "license" file accompanying this file. This file is
+# distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF
+# ANY KIND, either express or implied. See the License for the specific
+# language governing permissions and limitations under the License.
+"""Functional test suite for ``dynamodb_encryption_sdk.materials.raw``."""
+import pytest
+
+from dynamodb_encryption_sdk.delegated_keys.jce import JceNameLocalDelegatedKey
+from dynamodb_encryption_sdk.materials.raw import RawDecryptionMaterials, RawEncryptionMaterials
+
+pytestmark = [pytest.mark.functional, pytest.mark.local]
+
+
+def test_no_encryption_key():
+    signing_key = JceNameLocalDelegatedKey.generate('HmacSHA512', 256)
+    encryption_materials = RawEncryptionMaterials(signing_key=signing_key)
+
+    with pytest.raises(AttributeError) as excinfo:
+        encryption_materials.encryption_key
+
+    excinfo.match('No encryption key available')
+
+
+def test_no_decryption_key():
+    verification_key = JceNameLocalDelegatedKey.generate('HmacSHA512', 256)
+    decryption_materials = RawDecryptionMaterials(verification_key=verification_key)
+
+    with pytest.raises(AttributeError) as excinfo:
+        decryption_materials.decryption_key
+
+    excinfo.match('No decryption key available')
